You're reading from  Microsoft Intune Cookbook

Product type: Book
Published in: Jan 2024
Publisher: Packt
ISBN-13: 9781805126546
Edition: 1st Edition

Author: Andrew Taylor

Andrew Taylor is an End-User Compute architect with 20 years' IT experience across industries and a particular interest in Microsoft Cloud technologies, PowerShell and Microsoft Graph. Andrew graduated with a degree in Business Studies in 2004 from Lancaster University and since then has obtained numerous Microsoft certifications, including Microsoft 365 Enterprise Administrator Expert, Azure Solutions Architect Expert and Cybersecurity Architect Expert, amongst others. He is currently working as an EUC Architect for an IT company in the United Kingdom, planning and automating the products across the EUC space. Andrew lives on the coast in the North East of England with his wife and two daughters.

Securing Your Windows Devices with Security Policies

Chapter 2 showed you the basics of each of the core policy types, as well as what happens behind the scenes. This chapter will take that knowledge and extend it into the Endpoint Security blade within Microsoft Intune. You will find out how to secure your devices with the various policies and settings available.

We will configure the four policies that are most critical in a new environment: Antivirus, BitLocker, Firewall, and Attack surface reduction (ASR). These, combined with your baseline, will give you an excellent security footprint to build upon.

You can configure a lot of these security settings within standard policies as well as within Endpoint Security, but using the dedicated Endpoint security blade gives you a couple of advantages:

  • On the policy overview, you can see the status of your policies and devices, as well as running remedial actions where required
  • With Intune’s role-based access control...

Technical requirements

For this chapter, you will need a modern web browser and a PowerShell code editor such as Visual Studio Code (VS Code) or PowerShell ISE.

All of the scripts that are referenced in this chapter can be found here: https://github.com/PacktPublishing/Microsoft-Intune-Cookbook/tree/main/Chapter3.

Chapter materials

Before we start configuring our policies, we should look at best practices to ensure our Windows devices are as secure as possible. For this, there are resources available that can offer guidance.

An example of this is the NCSC Windows guidance, available at https://www.ncsc.gov.uk/collection/device-security-guidance/platform-guides/windows.

You can also download a CSV file including all recommended settings or pre-configure Group Policy Objects (GPOs) that you can import directly into Intune (as covered in Chapter 2). These files are available here: https://github.com/ukncsc/Device-Security-Guidance-Configuration-Packs/tree/main/Microsoft/Windows.

You can find best practice recommendations from CIS regarding their Intune baselines at https://www.cisecurity.org/benchmark/intune.

The CIS downloads also include GPOs that you can import into Intune directly.

Tip

While simply enabling every setting would provide you with a quick, secure environment,...

Setting up a security baseline

Security baselines are a quick start group of settings selected by Microsoft to quickly secure your tenant. They are available for Windows, Edge, Windows 365, and Microsoft Defender for Endpoint.

While they do not have the granularity of using the more bespoke Settings catalog-backed policies (covered in this chapter), they are a quick, easy, and useful way to get you up and running.

Should you decide to move to the more dedicated policies, make sure you change the associated setting in your baseline to Not configured; otherwise, you will find yourself with policy conflicts. There is an example JSON extract in this book’s GitHub repository that you can import (using the script found at https://andrewstaylor.com/2022/12/07/intune-backing-up-and-restoring-your-environment-new-and-improved/) into your environment and amend accordingly to get you started.

Microsoft also updates the baseline policies on a regular cadence to ensure you are always...

Configuring an antivirus policy

This recipe will run through how to configure your antivirus policy and also configure the UI on your end user devices to restrict what the user can and cannot see.

How to do it…

We will start with the antivirus policy:

  1. Navigate to Endpoint security in Intune, click Antivirus, and then click Create Policy.

Important note

You may have noticed the Reusable settings tab at the top. This is currently only for firewall rules, so you can ignore it for now. We will cover it in the Configuring Windows Firewall recipe.

  2. For the policy type, select Microsoft Defender Antivirus in the Profile dropdown. We will cover Security Experience in the Configuring Windows Security Experience recipe.
  3. Set the policy’s Name and Description.
  4. Configure the settings as per your environment. If there are any you are not sure about, the lowercase i in a circle next to each field will give you further details. Once your settings...

Configuring Windows Security Experience

This one is not quite as critical, but it is worth configuring so that users do not get bombarded with notifications.

How to do it…

We will now configure the Windows Security Experience policy to amend the end user experience when looking at the security settings within Windows:

  1. Navigate back to the Antivirus menu in Endpoint security and create a new policy, this time selecting Windows Security Experience.
  2. Set the policy’s Name and Description and click Next.
  3. Most of these are personal preferences, but right at the bottom, make sure you enable Tamper Protection. Since this is a corporate machine, disable Family UI. After that, make any changes that apply to your environment.
  4. Click Next.
  5. Assign the policy to Autopilot Devices.
  6. Then, review and click Create.

We have now configured Windows Security Experience for our devices.

Automating it

Let us replicate how we configured our Security...

Configuring your BitLocker policy

Another important thing to consider is BitLocker drive encryption. While antivirus and firewall protect the machine when in use, this protects the data if your machine is lost or stolen. You should always use the strongest encryption possible and make it a requirement for device compliance and conditional access (more on those in Chapter 8).

There are specific settings for this policy to enable silent encryption during Autopilot, so you need to make sure these are set correctly.

How to do it…

The following steps will show you how to configure your BitLocker drive encryption policy:

  1. Within Endpoint security, click on Disk encryption and create a policy.
  2. Set the policy’s Name and Description and click Next.
  3. Set the Base Settings values as per the following screenshot:

Figure 3.1 – BitLocker – Base Settings

  4. Set the Fixed Drive Settings values as per the following screenshot...

Configuring Windows Firewall

When we look at Windows Firewall, we will be introduced to the Reusable settings option. An environment will often have multiple firewall policies for different user and device groups to allow a piece of software to run or to further restrict a selection of devices. The idea behind Reusable Settings is that you can configure your specific firewall rules and then apply those across policies without needing to manually add them each time.

To give you an idea, this rule would block all Google domains:

Figure 3.5 – Windows Firewall – Reusable Settings

In this recipe, we will stick with a basic firewall to block incoming traffic and allow outbound traffic as our first line of defense.

How to do it…

Now that we have looked at reusable settings, follow these steps to configure the standard Microsoft Defender firewall policy:

  1. In the portal, navigate to Endpoint security, then Firewall. Choose Create...
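As an added example (this is not code from the book), the following PowerShell check verifies on an enrolled device that the antivirus, Security Experience, BitLocker and firewall recipes above actually took effect. It assumes the BitLocker policy enforces XTS-AES 256 with a recovery password protector, and that the firewall policy blocks inbound and allows outbound traffic by default, as described in this recipe; run it in an elevated session.

```powershell
function Test-CriticalPolicyPosture {
    [CmdletBinding()]
    param(
        # Assumption: the BitLocker policy enforces XTS-AES 256 (the strongest method available)
        [string]$ExpectedBitLockerMethod = 'XtsAes256'
    )
    $findings = [System.Collections.Generic.List[string]]::new()

    # Antivirus and Security Experience: live Defender state, including Tamper Protection
    $av = Get-MpComputerStatus
    if (-not $av.AntivirusEnabled)          { $findings.Add('Defender Antivirus is disabled') }
    if (-not $av.RealTimeProtectionEnabled) { $findings.Add('Real-time protection is off') }
    if (-not $av.IsTamperProtected)         { $findings.Add('Tamper Protection is not active') }

    # BitLocker: the OS drive must be fully encrypted with protection on, and carry a
    # recovery password protector so the key can be escrowed to Entra ID
    $os = Get-BitLockerVolume -MountPoint $env:SystemDrive
    if ($os.ProtectionStatus -ne 'On') {
        $findings.Add("BitLocker protection is $($os.ProtectionStatus) on $env:SystemDrive")
    }
    if ($os.VolumeStatus -ne 'FullyEncrypted') {
        $findings.Add("$env:SystemDrive volume status is $($os.VolumeStatus)")
    }
    if ($os.EncryptionMethod -ne $ExpectedBitLockerMethod) {
        $findings.Add("Encryption method is $($os.EncryptionMethod), expected $ExpectedBitLockerMethod")
    }
    if (-not ($os.KeyProtector.KeyProtectorType -contains 'RecoveryPassword')) {
        $findings.Add('No RecoveryPassword key protector on the OS drive')
    }

    # Firewall: every profile enabled, inbound blocked and outbound allowed by default
    foreach ($p in Get-NetFirewallProfile) {
        if ($p.Enabled -ne 'True') { $findings.Add("Firewall profile $($p.Name) is disabled") }
        if ($p.DefaultInboundAction -ne 'Block') {
            $findings.Add("Profile $($p.Name) default inbound action is $($p.DefaultInboundAction)")
        }
        if ($p.DefaultOutboundAction -ne 'Allow') {
            $findings.Add("Profile $($p.Name) default outbound action is $($p.DefaultOutboundAction)")
        }
    }

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Compliant    = ($findings.Count -eq 0)
        Findings     = $findings
    }
}

Test-CriticalPolicyPosture
```

A device that reports Compliant = False with an empty Findings list for BitLocker but a Tamper Protection finding usually means the Security Experience policy has not reached it yet; check the policy assignment before troubleshooting the device.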

Deploying ASR rules

There are some well-known and documented weak points in a standard machine build that bad actors like to target. JavaScript, Office macros, and Adobe Acrobat Reader are some examples.

Fortunately, there are built-in ASR rules that can be enabled to block these from executing. Additionally, there is the option to enable them in Audit mode if there are concerns about the potential impact on your application.

Getting ready

To configure these, head to the Endpoint security blade, click Attack surface reduction, and choose to Create a new policy. Select Attack surface reduction from the list of options.

Once again, you will see that we have reusable settings here; this is where you can specify USB and printer device IDs. These are not relevant to ASR rules; they are for some of the other policies that can be configured in this blade.

How to do it…

These steps will run you through creating your new ASR policy:

  1. Set your policy’...
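As an added example (not code from the book), this PowerShell script reports the effective mode of the ASR rules covering the three weak points named above, then summarises audit-mode hits from the Defender event log so you can judge the impact on your applications before switching a rule from Audit to Block. The rule GUIDs are Microsoft's published ASR rule identifiers; the 'ID:' and 'Process Name:' labels used to parse the event message are an assumption based on Defender's event template.

```powershell
# Microsoft's published ASR rule IDs for the weak points named in this recipe
$AsrRules = @{
    'D3E037E1-3EB8-44C8-A917-57927947596D' = 'Block JavaScript or VBScript from launching downloaded executable content'
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block all Office applications from creating child processes'
    '92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B' = 'Block Win32 API calls from Office macros'
    '7674BA52-37EB-4A4F-A9A1-F0F9A1619A2C' = 'Block Adobe Reader from creating child processes'
}
# Get-MpPreference action codes: 0 = Disabled, 1 = Block, 2 = Audit, 6 = Warn
$ActionName = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

function Get-AsrRuleState {
    $pref = Get-MpPreference
    # Ids and Actions are parallel arrays; normalise case before matching
    $ids  = @($pref.AttackSurfaceReductionRules_Ids | ForEach-Object { $_.ToUpperInvariant() })
    $acts = @($pref.AttackSurfaceReductionRules_Actions)
    foreach ($guid in $AsrRules.Keys) {
        $i = [array]::IndexOf($ids, $guid)
        if ($i -lt 0) { $mode = 'Not configured' }
        elseif ($ActionName.ContainsKey([int]$acts[$i])) { $mode = $ActionName[[int]$acts[$i]] }
        else { $mode = "Unknown ($($acts[$i]))" }
        [pscustomobject]@{ RuleId = $guid; Rule = $AsrRules[$guid]; Mode = $mode }
    }
}

function Get-AsrAuditSummary {
    param([int]$Days = 7)
    # Event 1122 is logged for every audit-mode hit (1121 for blocks). The 'ID:' and
    # 'Process Name:' labels are taken from Defender's event message text (assumption)
    $filter = @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 1122
                 StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $ruleId = if ($_.Message -match 'ID:\s*\{?([0-9A-Fa-f-]{36})\}?') { $Matches[1].ToUpperInvariant() } else { 'unknown' }
        $proc   = if ($_.Message -match 'Process Name:\s*([^\r\n]+)') { $Matches[1].Trim() } else { 'unknown' }
        $name   = if ($AsrRules.ContainsKey($ruleId)) { $AsrRules[$ruleId] } else { $ruleId }
        [pscustomobject]@{ Rule = $name; Process = $proc }
    } | Group-Object Rule, Process | Sort-Object Count -Descending |
        Select-Object Count, @{ n = 'Rule'; e = { $_.Group[0].Rule } }, @{ n = 'Process'; e = { $_.Group[0].Process } }
}

Get-AsrRuleState | Format-Table -AutoSize
Get-AsrAuditSummary -Days 7 | Format-Table -AutoSize
```

A rule that shows Mode = Audit with no 1122 events over a representative period is a good candidate to move to Block; a rule with many hits from a line-of-business process needs an exclusion or a conversation with the application owner first.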

Enrolling in Defender for Endpoint

Microsoft Defender for Endpoint gives you additional controls and monitoring on your devices.

Getting started

While it is managed from within Intune, you first need to onboard your tenant and devices into the service.

Important note

You need a Microsoft Defender for Endpoint P1 or P2 license to complete the following steps (a free trial can be obtained from the Microsoft Admin Center).

To start, we need to navigate to Security Portal at https://security.microsoft.com.

How to do it…

Now that we are in the portal, follow these settings to enroll your devices:

  1. Click Settings.
  2. Then, click Endpoints.
  3. Now, scroll to the bottom; there should be a setting marked Microsoft Intune connection. Slide that to On.
  4. Then, click Save Preferences and return to the Intune portal.
  5. Navigate to Endpoint security, then Endpoint detection and response, and create a new policy (Windows 10, Windows 11 and Windows Server)...

Deploying Windows LAPS

Although LAPS has been around for years for on-premises directories, it is a very new addition for Entra-managed devices, largely because the LAPS client is now included within Windows itself rather than needing an additional MSI and an AD (Active Directory) schema update.

Before looking at deploying LAPS, it is first worth understanding what it does and why you may want to use it. LAPS is a system that rotates the local admin password on a machine to add an extra layer of security as it ensures no two machines have the same password; this helps prevent lateral traversal attacks.

With the introduction of Autopilot, Intune, and Entra ID, LAPS was removed as the local admin account was disabled by default. There are options available for managing local admins on these devices (such as the Cloud Joined Device Local Admin Role or Local User Group Membership), but they both have disadvantages (the role applies to all devices, and the membership is one policy per device).

Windows LAPS...

Configuring Application Control

A new feature to Intune is Application Control, which extends the Windows Defender Application Control (WDAC) functionality but with an easier deployment.

There are two methods of deploying Application Control – via a GUI with boxes to select and using an XML file created for WDAC.

For this example, we will be using the GUI method, but if you would rather have more granular control, you can use the WDAC wizard from Microsoft to assist in creating the file.

You can read more about that here: https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/wdac-wizard.

How to do it…

Before we can create our policy, we need to activate Managed Installer. This allows the Intune Management extension to install applications without restrictions. Follow these steps to configure it in your environment:

  1. Click on Endpoint Security and then App Control for Business.
  2. At the top, click...